Clear desk procedures
Contractors must ensure ATO information is not accessible to unauthorised persons at any time. Where ATO information is accessed by contractors, clear desk procedures must be in place to prevent unauthorised access. Clear desk procedures must ensure ATO information is safeguarded while unattended, even for short periods during business hours. Similarly, electronic systems and networks must be protected from unauthorised access.
- Close-of-business security procedures are to include:
- logging off all systems and networks
- securing all ATO information appropriately
- ensuring all security containers, safes and rooms are locked
- ensuring all keys to security containers or rooms are secured against unauthorised access.
Storage of ATO information
The Australian Government Protective Security Policy Framework (PSPF) specifies minimum storage standards for the protection of official information.
ATO information must be stored in suitable commercial-grade storage containers or in a secure storag room within premises and align to the PSPF business impact level (BIL) matrix. The storage container or room must be approved by the ATO before the information is contained.
The essential physical security features the premises require are:
- tamper-evident barriers, resistant to covert entry
- an effective means of limiting entry to authorised people only, at all times.
See also:
Tamper-evident barriers
Tamper-evident barriers provide enough resistance to ensure that a person attempting to gain unauthorised entry and exit, without being apprehended, would have to damage or modify the barriers so it was obvious that a security incident had occurred.
This means ensuring perimeter walls and doors provide an effective barrier, and doors are fitted with high-quality locking mechanisms that provide a good level of resistance to covert entry.
The government has endorsed certain locks in their Security equipment evaluated products list for use in intruder-resistant areas. Physical Security Management can advise which locks meet these standards.
See also:
Entry control
The contractor must employ effective entry control measures to ensure only authorised persons can access areas that hold ATO information. Entry control may consist of a range of measures, such as:
- physical barriers
- electronic or mechanical devices
- guard, attendant or receptionist control
- visual recognition by employees
- passes or identity cards.
Effective visitor control, management and recording procedures must be in place.
A high-quality monitored intrusion alarm system, with appropriate response arrangements, will also be required to ensure an appropriate level of security protection outside working hours.
Maintenance records for electronic security equipment may be requested by ATO security assurance staff as required.
Certification
Contractor premises used for the storage, processing or production of ATO information must be endorsed as meeting appropriate standards of protective security by ATO Physical Security Management prior to commencement of services. Periodic reviews (as required – usually every 18 months) will be conducted by either Physical Security Management or an ATO approved representative (Security Construction and Equipment Committee (SCEC) consultant) to maintain certification standards.
Significant changes to contractor premises, equipment, business activities and tenancies may influence continuing certification and must be communicated to ATO Physical Security Management and ATO IT security as soon as possible.
Contractor systems used to access, process and store ATO information must be endorsed by the ATO IT Security Branch before starting services or negotiated with ATO IT security branch before starting services.
Visitors
Contractors must ensure that visitors to their premises are supervised to prevent unauthorised access to ATO information.
Keys and combinations
Keys and combinations must be given the same degree of protection as the information to which they provide access. This applies to keys and combinations for desk drawers, storage cabinets, safes, computer server racks, and office and building doors. Responsibility for keys and combinations to security containers should be assigned to a responsible person and, when not in use, locked in an SCEC approved security container. Only those authorised to access ATO information should be assigned custody of keys and combinations to storage facilities in which ATO information is secured.
Movement of classified information
The movement of information exposes it to additional risk. The principles for the secure movement of information involve:
- timely and uninterrupted handling
- secure methods of packaging, transport and delivery
- supervision and recording of all handling processes
- allocation of specific responsibilities (and training if necessary) to those involved with the movement of information.
Most of our non-electronic information can be moved by normal post or courier. If contractors use their own vehicles to transport ATO information, the vehicles must have cargo bays of solid construction - suitable materials include metal or fibreglass.
If the information is considered highly sensitive, advice should be sought from the relevant ATO contract manager, ATO Physical Security Management or ATO IT Security for other more secure options.
Electronic transfer
Specific measures are required to protect ATO information moved electronically. Any contractor plans or procedures for transferring ATO information electronically must be endorsed by the ATO IT Security Branch before starting services. This includes facsimile and data transmissions, and email over the internet.
Copying
The copying of ATO information is not allowed unless approval is negotiated with the contract manager and ATO IT security has been engaged. We may prohibit the reproduction of specified ATO information.
Opening requirements
Contractors should look for any signs of tampering when opening envelopes or wrapping containing our information. When it is known or suspected that an envelope or package has been tampered with, the matter must be reported to the relevant ATO contract manager and ATO Physical Security Management. In such cases, the envelope or package is to be retained for examination and not handled unnecessarily.
Removal of ATO information from contractor premises
Removal of ATO information from a contractor's premises is only permitted where there is a definite work-related need, appropriate protection can be maintained, and the removal is authorised by the relevant ATO contract manager.
Electronic media, such as laptop computers, removable media and disks, must be protected as per the requirements in the ISM. Laptops and portable electronic devices, in particular, carry additional risk because their intrinsic value makes them an attractive target for theft.
Employees removing classified material from your premises have an important role in the protection of that material. You must ensure your employees take practical measures to safeguard classified material at all times and protect it against unauthorised access.
Voice communications
You must take care to ensure conversations of a sensitive nature are not overheard by unauthorised persons, either at your premises or in public places. This particularly includes telephone and mobile phone conversations.
Telephones cannot generally be considered a secure means of communication and must not be used to discuss highly sensitive matters.
Cabling security
You must provide a cabling plan for all systems where ATO information is communicated and implement secure cabling and patch panels restricting access on a need-to-know basis. This must also include controls to prevent cross-contamination of systems. This must be provided before starting services.